Win32/Qakbot


First posted on 12 February 2016.
Source: Microsoft

Aliases:

There are no other names known for Win32/Qakbot.

Explanation:

Win32/Qakbot is a multi-component family of malware that allows unauthorized access and control of an affected computer. By allowing remote access, this backdoor trojan can perform several actions including stealing sensitive information. Some variants of this malware may attempt to spread to open shares across a network, including the default shares C$ and Admin$.

Installation

Win32/Qakbot can infect a computer through a number of exploit-based attacks or by being downloaded and installed by other malware. In the wild, we have observed Win32/Qakbot being hosted on a number of malicious web sites that attempt to exploit vulnerabilities in Adobe Flash. We have observed the following hosts being used to install Win32/Qakbot:

  • nt11.co.in
  • nt002.cn
  • nt16.in
Using these hosts, Qakbot downloads an installer which then downloads more components. The installer downloads an archive package, which is decrypted and installed by the installer. Older variants of Qakbot used the following file names for their components:
  • msadvapi32.dll
  • _qbot.cb
  • _qbotinj.exe
  • _qbot.dll
  • _qbotnti.exe
  • seclog.txt
  • si.txt
  • ps_dump
  • qa.bin
More recent variants alias these files to randomly generated file names, for example:
  • msadvapi32.dll=voxivm94cw.dll
  • _qbot.cb=voxivm9.dll
  • _qbotinj.exe=voxivm94.exe
  • _qbot.dll=voxivm94.dll
  • _qbotnti.exe=voxivm94lx.exe
  • seclog.txt=voxivm.dll
  • si.txt=ibggih
  • ps_dump=yamy
  • qa.bin=axnrkeg
  • nbs=ziqotf
These randomly generated file names differ on each machine on which the malware is installed. The file names are built around a randomized root, with additional randomized characters based on information stolen from the affected PC. We have also seen recent variants installing the following files:
  • %APPDATA%\microsoft\jwkljxnw\jwkljx.dll
  • %APPDATA%\roaming\microsoft\jwkljxnw\jwkljxn.exe
Once installed, Qakbot replaces existing registry data found in the subkey "HKLM\Microsoft\Windows\CurrentVersion\Run" so that the malware runs at each Windows start. The malware prepends itself to a previously existing entry. For example, we have seen it create the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: ""%APPDATA%\microsoft\jwkljxnw\jwkljxn.exe"
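The persistence pattern described above (an executable under a randomly named %APPDATA%\microsoft\<random>\ directory, written into the Run key with an empty value name, or prepended to an entry that was already there) is something a defender can triage from an exported Run key. The script below is an added example, not code from Microsoft or malwarePDF; the Run-key entries it scans are constructed to mirror the write-up, and the regex, the value-name check and the legacy component list are assumptions drawn only from the file names and paths listed on this page.

```python
import re

# Constructed sample Run-key entries (value name, value data). They are modelled on
# the persistence pattern the write-up describes, not captured from a real host.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("", r'"%APPDATA%\microsoft\jwkljxnw\jwkljxn.exe"'),
    ("Updater", r'"%APPDATA%\microsoft\abcdefgh\abcdefg.exe" "C:\Program Files\Vendor\updater.exe"'),
    ("SecurityHealth", r'%windir%\system32\SecurityHealthSystray.exe'),
    ("Legacy", r'"C:\Users\user\AppData\Roaming\_qbotinj.exe"'),
]

# Component names the write-up attributes to older Qakbot variants.
LEGACY_COMPONENTS = {
    "msadvapi32.dll", "_qbot.cb", "_qbotinj.exe", "_qbot.dll",
    "_qbotnti.exe", "seclog.txt", "si.txt", "ps_dump", "qa.bin",
}

# Executable under %APPDATA%\[roaming\]microsoft\<random>\<random>.exe, the layout of
# the recent-variant install paths listed in the write-up (assumed pattern).
APPDATA_MS_EXE = re.compile(
    r'%APPDATA%\\(?:roaming\\)?microsoft\\[a-z0-9]+\\[a-z0-9]+\.exe', re.IGNORECASE)
# Each double-quoted executable path inside the value data.
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


def assess_run_entry(name, data):
    """Return the reasons a Run-key entry matches the described persistence, or []."""
    reasons = []
    if APPDATA_MS_EXE.search(data):
        reasons.append("executable in %APPDATA%\\microsoft\\<random>\\ directory")
    if name == "":
        reasons.append("empty value name")
    quoted = QUOTED_EXE.findall(data)
    # The write-up says the malware prepends itself to a pre-existing entry, so the
    # tell-tale is a suspicious path sitting in front of a second quoted executable.
    if len(quoted) >= 2 and APPDATA_MS_EXE.search(quoted[0]):
        reasons.append("suspicious executable prepended to an existing Run entry")
    lowered = data.lower()
    hits = sorted(c for c in LEGACY_COMPONENTS if c in lowered)
    if hits:
        reasons.append("legacy Qakbot component name: " + ", ".join(hits))
    return reasons


def find_suspicious(entries):
    """Keep only (name, data, reasons) triples that raised at least one reason."""
    flagged = []
    for name, data in entries:
        reasons = assess_run_entry(name, data)
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


if __name__ == "__main__":
    for name, data, reasons in find_suspicious(SAMPLE_RUN_ENTRIES):
        print(f"value {name!r}: {data}")
        for reason in reasons:
            print("   -", reason)
```

Run against a real export (for example the output of `reg query` on the Run key, parsed into name/data pairs), the same functions apply unchanged; the file-name patterns are randomized per machine, so the structural checks (directory layout, empty value name, prepended entry) are more durable than any single name.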

Spreads via…

Network shares

Win32/Qakbot might try to spread to open shares across a network, including the default shares C$ and Admin$.

Payload

Allows backdoor access and control

Win32/Qakbot may connect to a remote server in order to receive commands from a remote attacker. Commands could include any of the following actions:
  • Log keystrokes
  • Get the host's IP address and name
  • Steal cookies and certificates
  • Monitor Favorites and visited URLs
  • Steal passwords from Internet Explorer, MSN Messenger, and Outlook
  • Steal Autocomplete information
  • Download and install updates
  • Upload stolen data to an FTP server
Performs stealth

Recent variants of Win32/Qakbot employ a rootkit that hooks various APIs and hides the Qakbot installation directory and files, as well as the registry entry that loads the malware.

Additional information

  • Download the Qakbot family threat report for more information
  • Implement strict provisioning and administration practices
  • Backdoor:Win32/Qakbot.T
  • W32/Pinkslipbot threat advisory

Analysis by Dan Kurc

Last update 12 February 2016